@@ -31,25 +31,15 @@ If needed, it can be disabled from a :term:`configuration file`::
INHERIT_DISTRO:remove = "create-spdx"
-Upon building an image, you will then get:
-
-- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
- ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`.
-
-- This toplevel file is accompanied by an ``IMAGE-MACHINE.spdx.index.json``
- containing an index of JSON :term:`SPDX` files for individual recipes.
-
-- The compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index
- and the files for the single recipes.
+Upon building an image, you will then get the :term:`SPDX` output in JSON format
+as an ``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside
+the :term:`Build Directory`.
The :ref:`ref-classes-create-spdx` class offers options to include
more information in the output :term:`SPDX` data:
- Make the json files more human readable by setting (:term:`SPDX_PRETTY`).
-- Add compressed archives of the files in the generated target packages by
- setting (:term:`SPDX_ARCHIVE_PACKAGED`).
-
- Add a description of the source files used to generate host tools and target
packages (:term:`SPDX_INCLUDE_SOURCES`)
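Review bot: with the index and ``.spdx.tar.zst`` bullets removed, this paragraph now reads as if the single ``IMAGE-MACHINE.spdx.json`` file were the only output, yet the classes.rst hunk in this same patch still says the output is generated "as well as in ``tmp/deploy/spdx``"; keep one sentence here saying that per-recipe SPDX documents are still written under ``tmp/deploy/spdx/MACHINE/`` so the dev-manual and the class reference agree on where to look. Minor: the retained ``SPDX_INCLUDE_SOURCES`` bullet is now the only item in the list without a terminating period.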
@@ -62,8 +52,6 @@ more information in the output :term:`SPDX` data:
- Export the recipe's ``PACKAGECONFIG`` features (enabled/disabled) into the
SPDX document (:term:`SPDX_INCLUDE_PACKAGECONFIG`).
-- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
-
- Exclude specific files from the SPDX output using Python regular expressions
(:term:`SPDX_FILE_EXCLUDE_PATTERNS`).
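Review bot: dropping the ``SPDX_ARCHIVE_SOURCES`` bullet also drops the only guidance in this section on how to satisfy "source code access" license requirements (the text deleted in the next hunk and in variables.rst tied that to these archives). If the class no longer ships source archives, say so explicitly next to ``SPDX_INCLUDE_SOURCES``, so readers who relied on the old guidance for license compliance know that only a description of the sources is produced now and that the sources themselves must be provided by other means.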
@@ -82,28 +70,16 @@ more information in the output :term:`SPDX` data:
(:term:`SPDX_INCLUDE_BITBAKE_PARENT_BUILD`, :term:`SPDX_INVOKED_BY`,
:term:`SPDX_ON_BEHALF_OF`).
-Though the toplevel :term:`SPDX` output is available in
-``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
-generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
-
-- The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst``
- archive.
-
-- Compressed archives of the files in the generated target packages,
- in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED`
- is set).
-
-- Compressed archives of the source files used to build the host tools
- and the target packages in ``recipes/recipe-packagename.tar.zst``
- (when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill
- "source code access" license requirements.
-
See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows
to associate custom notes to a recipe.
See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
project website for a list of tools to consume and transform the :term:`SPDX`
data generated by the OpenEmbedded build system.
+See the definition of the variables starting with ``SPDX_`` in the
+:doc:`Yocto Project Reference Manual glossary </ref-manual/variables>` for more
+information.
+
See also Joshua Watt's presentations
`Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__
at FOSDEM 2023 and
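Review bot: the new glossary pointer is inserted between the SPDX tools paragraph and the "See also Joshua Watt's presentations" paragraph, splitting two related external references; it reads better placed directly after the options list, where the ``SPDX_`` variables are first enumerated. Those presentations also date from FOSDEM 2023, before the SPDX 2.2 removal this patch documents, so a short caveat that they predate the current output layout would save readers some confusion.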
@@ -559,8 +559,8 @@ The toplevel :term:`SPDX` output file is generated in JSON format as a
as well as in ``tmp/deploy/spdx``.
The exact behaviour of this class, and the amount of output can be controlled
-by the :term:`SPDX_PRETTY`, :term:`SPDX_ARCHIVE_PACKAGED`,
-:term:`SPDX_ARCHIVE_SOURCES` and :term:`SPDX_INCLUDE_SOURCES` variables.
+by the :term:`SPDX_PRETTY`, :term:`SPDX_INCLUDE_SOURCES` and other variables
+starting with with ``SPDX_``.
See the description of these variables and the
":ref:`dev-manual/sbom:creating a software bill of materials`"
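Review bot: "starting with with ``SPDX_``" in the added line doubles the word "with"; it should read "starting with ``SPDX_``". While here, "controlled by the :term:`SPDX_PRETTY`, :term:`SPDX_INCLUDE_SOURCES` and other variables starting with ``SPDX_``" reads more naturally as "controlled by the variables starting with ``SPDX_``, such as :term:`SPDX_PRETTY` and :term:`SPDX_INCLUDE_SOURCES`", which keeps both named examples.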
@@ -9324,56 +9324,6 @@ system and gives an overview of their function and contents.
SOURCE_MIRROR_URL = "http://example.com/my_source_mirror;user=<user>;pswd=<password>"
- :term:`SPDX_ARCHIVE_PACKAGED`
- This option allows to add to :term:`SPDX` output compressed archives
- of the files in the generated target packages.
-
- Such archives are available in
- ``tmp/deploy/spdx/MACHINE/packages/packagename.tar.zst``
- under the :term:`Build Directory`.
-
- Enable this option as follows::
-
- SPDX_ARCHIVE_PACKAGED = "1"
-
- According to our tests on release 4.1 "langdale", building
- ``core-image-minimal`` for the ``qemux86-64`` machine, enabling this
- option multiplied the size of the ``tmp/deploy/spdx`` directory by a
- factor of 13 (+1.6 GiB for this image), compared to just using the
- :ref:`ref-classes-create-spdx` class with no option.
-
- Note that this option doesn't increase the size of :term:`SPDX`
- files in ``tmp/deploy/images/MACHINE``.
-
- :term:`SPDX_ARCHIVE_SOURCES`
- This option allows to add to :term:`SPDX` output compressed archives
- of the sources for packages installed on the target. It currently
- only works when :term:`SPDX_INCLUDE_SOURCES` is set.
-
- This is one way of fulfilling "source code access" license
- requirements.
-
- Such source archives are available in
- ``tmp/deploy/spdx/MACHINE/recipes/recipe-packagename.tar.zst``
- under the :term:`Build Directory`.
-
- Enable this option as follows::
-
- SPDX_INCLUDE_SOURCES = "1"
- SPDX_ARCHIVE_SOURCES = "1"
-
- According to our tests on release 4.1 "langdale", building
- ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
- these options multiplied the size of the ``tmp/deploy/spdx``
- directory by a factor of 11 (+1.4 GiB for this image),
- compared to just using the :ref:`ref-classes-create-spdx`
- class with no option.
-
- Note that using this option only marginally increases the size
- of the :term:`SPDX` output in ``tmp/deploy/images/MACHINE/``
- (+ 0.07\% with the tested image), compared to just enabling
- :term:`SPDX_INCLUDE_SOURCES`.
-
:term:`SPDX_BUILD_HOST`
The base variable name describing the build host on which the build is
running. The value must name a key from ``SPDX_IMPORTS``, allowing
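Review bot: removing the ``SPDX_ARCHIVE_PACKAGED`` and ``SPDX_ARCHIVE_SOURCES`` glossary entries turns any remaining ``:term:`` reference to them into a Sphinx warning or broken link; this patch only updates the references in sbom.rst and classes.rst, so a ``grep -rn 'SPDX_ARCHIVE_' documentation/`` before merging would confirm nothing else still points at them, in particular the ``SPDX_INCLUDE_SOURCES`` entry, which the deleted ``SPDX_ARCHIVE_SOURCES`` text said it depended on. It is also worth stating in the ``SPDX_INCLUDE_SOURCES`` entry that source archives are no longer produced, since the deleted entry was where readers were sent for "source code access" compliance.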
SPDX2.2 was removed in [1]. Refresh the documentation surrounding SPDX SBOMs to remove obsolete variables and output files.

[1]: https://git.openembedded.org/openembedded-core/commit/?id=12abd0574c267bade0962ecb39d9e8da8c56842b

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 documentation/dev-manual/sbom.rst      | 38 +++++--------------------
 documentation/ref-manual/classes.rst   |  4 +--
 documentation/ref-manual/variables.rst | 50 ----------------------------------
 3 files changed, 9 insertions(+), 83 deletions(-)